-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43776/#review120028
-----------------------------------------------------------

include/mesos/authorizer/authorizer.proto (line 87)
<https://reviews.apache.org/r/43776/#comment181394>

    s/may/can?

    Or else

    // Objects: The principal(s) can reserve resources for these roles.

    I prefer the latter one which might be more clear and also consistent with the comments for `CreateVolume`.


src/tests/authorization_tests.cpp (line 419)
<https://reviews.apache.org/r/43776/#comment181395>

    s/can reserve/can only reserve resources


src/tests/authorization_tests.cpp (line 424)
<https://reviews.apache.org/r/43776/#comment181396>

    Why add `and principal "baz" will not be allowed to reserve for roles other than "ads".` here?

    I think that updating the comments for `acl2` to `Principal "baz" can only reserve resources for the "ads" role.`


src/tests/authorization_tests.cpp (line 452)
<https://reviews.apache.org/r/43776/#comment181397>

    s/reserve/reserve resources


src/tests/master_validation_tests.cpp (lines 236 - 238)
<https://reviews.apache.org/r/43776/#comment181399>

    I think that we need to clarify that the `role` checking except "*" will be checked in `authorize`; the validation will not check roles except "*" now. Otherwise, someone might be confused about why a framework with `roleA` can reserve resources for `roleB`.


src/tests/reservation_tests.cpp (line 1338)
<https://reviews.apache.org/r/43776/#comment181401>

    Not yours, but do you mind updating this:

    s/This princial/The `DEFAULT_CREDENTIAL` principal


src/tests/reservation_tests.cpp (line 1343)
<https://reviews.apache.org/r/43776/#comment181402>

    ditto


- Guangya Liu


On Feb. 20, 2016, 1:11 a.m., Greg Mann wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43776/
> -----------------------------------------------------------
>
> (Updated Feb. 20, 2016, 1:11 a.m.)
>
>
> Review request for mesos, Adam B, Jie Yu, Michael Park, and Neil Conway.
>
>
> Bugs: MESOS-4591
>     https://issues.apache.org/jira/browse/MESOS-4591
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Changed object of the `ReserveResources` ACL to `roles`.
>
> This solves a problem in which any principal could reserve resources for any
> role using the '/reserve' operator endpoint. A new test,
> `ReserveOperationValidationTest.DisallowReserveForStarRole`, was added.
>
>
> Diffs
> -----
>
>   include/mesos/authorizer/authorizer.proto 226441f8cbd6d0828bf1636cc08c21ffcc75e6a7
>   src/authorizer/local/authorizer.cpp 9557bbdf68ff182c4538bbf70cee576d717abc05
>   src/master/master.cpp e5aaf67e63996700b2cdcdd04055ad5b04bfb085
>   src/master/validation.cpp 66898e914c7b4ab83c4580be67530f355cfb05ca
>   src/tests/authorization_tests.cpp 9d046e8d53cbb6c065a23ca3f7832021ec7faadc
>   src/tests/master_validation_tests.cpp 6fae01fa1833ae05ec82618a4ae28ac5bd275bd5
>   src/tests/reservation_endpoints_tests.cpp afe81b1d38a1b3a82583720f26482ddcde8f5e85
>   src/tests/reservation_tests.cpp d2ef15934556cb879f31850d52712aec77231fc7
>
> Diff: https://reviews.apache.org/r/43776/diff/
>
>
> Testing
> -------
>
> Tests were altered to accommodate the new ACL object, and the test
> `ReserveOperationValidationTest.DisallowReserveForStarRole` was added.
>
> Ran `configure && make check` and `configure --enable-libevent --enable-ssl
> && make check` on OSX; all tests passed.
>
>
> Thanks,
>
> Greg Mann
>
>